Over 125 Android apps and websites have been affected by a massive Android app ad fraud scheme discovered by fraud detection firm Pixalate in July 2018. BuzzFeed News built on Pixalate’s initial report to uncover the sinister details of the ad fraud, which has so far seen millions of dollars in ad revenue stolen.

On October 23, an in-depth investigative report by BuzzFeed News uncovered a complex network of shell companies under the umbrella name of MegaCast, aka We Purchase Apps, which was devoted to buying up legitimate Android apps built by other people and then monetizing them with an army of bots. Although botnets have been a massive problem for mobile as well as video advertising, this particular fraud scheme was different – it employed shell companies, fake email IDs and websites, and malware to siphon millions in ad revenue.

BuzzFeed was alerted to the ad fraud scheme by Pixalate’s research on the issue, which was published in July 2018.

How was the ad fraud scheme carried out?

The report highlights how fraudsters purchased genuine Android apps with cash up-front, and then used them to monitor user behavior. This user behavior data was then mimicked by bots alongside real users still interacting with the apps, thereby masking the fraud. This reaped MegaCast millions of dollars in ad revenue from different companies that were paying to advertise with in-app ad networks, including those run by Google Ads.

The report revealed how more than 125 Android apps and websites are connected to a network of shell companies based in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria, and elsewhere. A complete list of affected apps appears on a spreadsheet BuzzFeed assembled. The scarier part – more than a dozen of the affected apps are targeted at kids or teens. A person involved in the actual scheme informed BuzzFeed that the ad fraud scheme had stolen hundreds of millions of dollars from brands whose ads were shown to bots instead of real humans.

“This highlights a big structural problem in the digital ad world,” says Reid Tatoris, VP of Product Outreach and Marketing, Distil Networks, speaking exclusively with MTA, adding, “When you read about this complex network of sites referring traffic to each with multiple intermediaries forwarding a single impression along up the chain, it sounds absurd. The problem is this is not at all uncommon; it happens all the time. This particular network was clearly fraudulent, but the ecosystem set up to package and repackage traffic with no clear indication of original source makes it easier for fraud like this to thrive.”

Google takes action against ad fraud

Since the fraud included Android apps, BuzzFeed also informed Google about it. Google immediately took action against the apps involved in the scheme. “While our internal systems had previously caught and blocked violating websites from our ad network, in the past week we also removed apps involved in the ad fraud scheme, so they can no longer monetize with Google,” the company clarified on their blog. “Further, we have blacklisted additional apps and websites that are outside of our ad network, to ensure that advertisers using Display & Video 360 (formerly known as DoubleClick Bid Manager) do not buy any of this traffic. We are continuing to monitor this operation and will continue to take action if we find any additional invalid traffic.”

Google’s dollar value estimate of the impacted Google advertisers’ spend across the apps and websites involved in the operation is under $10 million. “The majority of impacted advertiser spend was from invalid traffic on inventory from non-Google, third-party ad networks,” added Google. Despite the action, the reality remains that Google hadn’t proactively weeded out the malware and fraudulent apps. The problem lies exactly there, because the company's processes for reviewing Google Play content aren’t as robust as those of the Apple Store, which itself hasn’t proven to have a foolproof system either.

Mobile ads and ad fraud

Research around ad fraud demands that marketers push the platforms they use, as well as themselves, to be more vigilant about fraudulent tactics. AppsFlyer, an app metrics firm, estimated that mobile ad fraud grew by 30%, to between $700 million and $800 million, in Q1 2018 compared with 2017. The report, titled ‘State of Mobile Fraud Q1 2018’, explains: “A quick look at 2018 vs. 2017 yields the following insights: a) A 15% rise in the rate of app install fraud, b) A 10% increase in the cost of media, and c) A 25% rise of non-organic installs.”

Tatoris believes that the only way to stop these fraud networks is to analyze actual user behavior on each impression. “Many verification companies look for interaction, but that's exactly why criminals have developed the type of replay attack you see here. Attacks are now so sophisticated that you have to go beyond just looking for the presence of interaction and look for the behavior you expect to see from a real user in a particular case,” he explains.
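The gap Tatoris describes between checking for the presence of interaction and checking the behavior itself can be shown in a short sketch. This is an added illustration, not code from the article, Pixalate or Distil Networks; the trace format, bucket sizes and sample impressions are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample data. A trace is a list of touch events:
# (ms since previous event, x, y).
RECORDED = [(120, 200, 640), (340, 210, 655), (95, 480, 300), (610, 470, 120)]
IMPRESSIONS = [  # (impression_id, device_id, trace)
    ("imp-1", "dev-A", RECORDED),                                # recorded session
    ("imp-2", "dev-B", [(80, 50, 900), (400, 60, 700), (220, 300, 310)]),
    ("imp-3", "dev-C", RECORDED),                                # exact replay
    ("imp-4", "dev-D", [(dt + 3, x + 2, y + 1) for dt, x, y in RECORDED]),  # jittered replay
    ("imp-5", "dev-E", []),                                      # no interaction
]

def naive_check(trace):
    """Presence-only verification: any interaction is treated as human."""
    return len(trace) > 0

def fingerprint(trace, dt_bucket=25, px_bucket=20):
    """Quantise timing and position so small jitter hashes to the same value.
    Jitter that straddles a bucket boundary escapes this; a production system
    would compare traces with a distance measure instead of exact buckets."""
    q = [(dt // dt_bucket, x // px_bucket, y // px_bucket) for dt, x, y in trace]
    return hashlib.sha256(repr(q).encode()).hexdigest()

def find_replays(impressions, min_events=3):
    """Return ids of impressions whose trace fingerprint appears on >1 device.
    The recorded session is flagged too: the data cannot say which copy is
    the original, only that independent devices produced the same behavior."""
    seen = defaultdict(list)
    for imp_id, device, trace in impressions:
        if len(trace) >= min_events:      # very short traces collide by chance
            seen[fingerprint(trace)].append((imp_id, device))
    flagged = set()
    for hits in seen.values():
        if len({device for _, device in hits}) > 1:
            flagged.update(imp_id for imp_id, _ in hits)
    return sorted(flagged)

if __name__ == "__main__":
    for imp_id, _, trace in IMPRESSIONS:
        print(imp_id, "presence check passes:", naive_check(trace))
    print("flagged as replayed:", find_replays(IMPRESSIONS))
```

The presence-only check accepts every replayed session; only the cross-device comparison separates them from the unrelated session on dev-B.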

Through its ongoing research, Pixalate has unveiled that 23% of all ad impressions in mobile apps are fraudulent in some way. When it comes to mobile fraud, neither advertiser, nor app exchange, nor any ad network is immune. Advertisers are dealing with click spam, hyperactive devices and other forms of fraud.

What we ask of marketers in this scenario is to be aware of this issue and remain hyper-vigilant. Marketers should also be very careful about how they set up their digital advertising campaigns. If the ROI seems too good to be true – please question it!

What’s your advice for marketers in such a scenario? Let us know in the comments below.